Improper Validation of Array Index| ID: 129 | Date: (C)2012-05-14 (M)2022-10-10 | | Type: weakness | Status: DRAFT | | Abstraction Type: Base |
Description The product uses untrusted input when calculating or using an
array index, but the product does not validate or incorrectly validates the
index to ensure the index references a valid position within the array. Likelihood of Exploit: High Applicable PlatformsLanguage: CLanguage: OftenLanguage: C++Language: OftenLanguage Class: Language-independent Time Of Introduction Related Attack Patterns Common Consequences | Scope | Technical Impact | Notes |
|---|
| IntegrityAvailability | DoS: crash / exit /
restart | Use of an index that is outside the bounds of an array will very
likely result in the corruption of relevant memory and perhaps
instructions, leading to a crash, if the values are outside of the valid
memory area. | | Integrity | Modify memory | If the memory corrupted is data, rather than instructions, the system
will continue to function with improper values. | | ConfidentialityIntegrity | Modify memoryRead memory | Use of an index that is outside the bounds of an array can also
trigger out-of-bounds read or write operations, or operations on the
wrong objects; i.e., "buffer overflows" are not always the result. This
may result in the exposure or modification of sensitive data. | | IntegrityConfidentialityAvailability | Execute unauthorized code or
commands | If the memory accessible by the attacker can be effectively
controlled, it may be possible to execute arbitrary code, as with a
standard buffer overflow and possibly without the use of large inputs if
a precise index can be controlled. | | IntegrityAvailabilityConfidentiality | DoS: crash / exit /
restartExecute unauthorized code or
commandsRead memoryModify memory | A single fault could allow either an overflow (CWE-788) or underflow
(CWE-786) of the array index. What happens next will depend on the type
of operation being performed out of bounds, but can expose sensitive
information, cause a system crash, or possibly lead to arbitrary code
execution. |
Detection Methods | Name | Description | Effectiveness | Notes |
|---|
| Automated Static Analysis | This weakness can often be detected using automated static analysis
tools. Many modern tools use data flow analysis or constraint-based
techniques to minimize the number of false positives.Automated static analysis generally does not account for environmental
considerations when reporting out-of-bounds memory operations. This can
make it difficult for users to determine which warnings should be
investigated first. For example, an analysis tool might report array
index errors that originate from command line arguments in a program
that is not expected to run with setuid or other special
privileges. | High | | | Automated Dynamic Analysis | This weakness can be detected using dynamic tools and techniques that
interact with the software using large test suites with many diverse
inputs, such as fuzz testing (fuzzing), robustness testing, and fault
injection. The software's operation may slow down, but it should not
become unstable, crash, or generate incorrect results. | | | | Black Box | Black box methods might not get the needed code coverage within
limited time constraints, and a dynamic test might not produce any
noticeable side effects even if it is successful. | | |
Potential Mitigations | Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | Input ValidationLibraries or Frameworks | Use an input validation framework such as Struts or the OWASP ESAPI
Validation API. If you use Struts, be mindful of weaknesses covered by
the CWE-101 category. | | | | Architecture and Design | | For any security checks that are performed on the client side, ensure
that these checks are duplicated on the server side, in order to avoid
CWE-602. Attackers can bypass the client-side checks by modifying values
after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values
would be submitted to the server.Even though client-side checks provide minimal benefits with respect
to server-side security, they are still useful. First, they can support
intrusion detection. If the server receives input that should have been
rejected by the client, then it may be an indication of an attack.
Second, client-side error-checking can provide helpful feedback to the
user about the expectations for valid input. Third, there may be a
reduction in server-side processing time for accidental input errors,
although this is typically a small savings. | | | | Requirements | Language Selection | Use a language that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.For example, Ada allows the programmer to constrain the values of a
variable and languages such as Java and Ruby will allow the programmer
to handle exceptions when an out-of-bounds index is accessed. | | | | Operation | Environment Hardening | Use a feature like Address Space Layout Randomization (ASLR) [R.129.3]
[R.129.4]. | Defense in Depth | This is not a complete solution. However, it forces the attacker to
guess an unknown value that changes every program execution. In
addition, an attack could still cause a denial of service, since the
typical response is to exit the application. | | Operation | Environment Hardening | Use a CPU and operating system that offers Data Execution Protection
(NX) or its equivalent [R.129.4] [R.129.5]. | Defense in Depth | This is not a complete solution, since buffer overflows could be used
to overwrite nearby variables to modify the software's state in
dangerous ways. In addition, it cannot be used in cases in which
self-modifying code is required. Finally, an attack could still cause a
denial of service, since the typical response is to exit the
application. | | Implementation | Input Validation | Assume all input is malicious. Use an "accept known good" input
validation strategy, i.e., use a whitelist of acceptable inputs that
strictly conform to specifications. Reject any input that does not
strictly conform to specifications, or transform it into something that
does.When performing input validation, consider all potentially relevant
properties, including length, type of input, the full range of
acceptable values, missing or extra inputs, syntax, consistency across
related fields, and conformance to business rules. As an example of
business rule logic, "boat" may be syntactically valid because it only
contains alphanumeric characters, but it is not valid if the input is
only expected to contain colors such as "red" or "blue."Do not rely exclusively on looking for malicious or malformed inputs
(i.e., do not rely on a blacklist). A blacklist is likely to miss at
least one undesirable input, especially if the code's environment
changes. This can give attackers enough room to bypass the intended
validation. However, blacklists can be useful for detecting potential
attacks or determining which inputs are so malformed that they should be
rejected outright.When accessing a user-controlled array index, use a stringent range of
values that are within the target array. Make sure that you do not allow
negative values to be used. That is, verify the minimum as well as the
maximum of the range of acceptable values. | | | | Implementation | | Be especially careful to validate all input when invoking code that
crosses language boundaries, such as from an interpreted language to
native code. This could create an unexpected interaction between the
language boundaries. Ensure that you are not violating any of the
expectations of the language with which you are interfacing. For
example, even though Java may not be susceptible to buffer overflows,
providing a large argument in a call to native code might trigger an
overflow. | | | | Architecture and DesignOperation | Environment Hardening | Run your code using the lowest privileges that are required to
accomplish the necessary tasks [R.129.6]. If possible, create isolated
accounts with limited privileges that are only used for a single task.
That way, a successful attack will not immediately give the attacker
access to the rest of the software or its environment. For example,
database applications rarely need to run as the database administrator,
especially in day-to-day operations. | | | | Architecture and DesignOperation | Sandbox or Jail | Run the code in a "jail" or similar sandbox environment that enforces
strict boundaries between the process and the operating system. This may
effectively restrict which files can be accessed in a particular
directory or which commands can be executed by the software.OS-level examples include the Unix chroot jail, AppArmor, and SELinux.
In general, managed code may provide some protection. For example,
java.io.FilePermission in the Java SecurityManager allows the software
to specify restrictions on file operations.This may not be a feasible solution, and it only limits the impact to
the operating system; the rest of the application may still be subject
to compromise.Be careful to avoid CWE-243 and other weaknesses related to jails. | Limited | The effectiveness of this mitigation depends on the prevention
capabilities of the specific sandbox or jail being used and might only
help to reduce the scope of an attack, such as restricting the attacker
to certain system calls or limiting the portion of the file system that
can be accessed. |
RelationshipsThis weakness can precede uncontrolled memory allocation (CWE-789) in
languages that automatically expand an array when an index is used that is
larger than the size of the array, such as JavaScript. | Related CWE | Type | View | Chain |
|---|
| CWE-129 ChildOf CWE-890 | Category | CWE-888 | |
Demonstrative Examples (Details) - In the code snippet below, an untrusted integer value is used to
reference an object in an array.
- In the following code, the method retrieves a value from an array at
a specific array index location that is given as an input parameter to the
method (Demonstrative Example Id DX-100)
- In the following example the method displayProductSummary is called
from a Web service servlet to retrieve product summary information for
display to the user. The servlet obtains the integer value of the product
number from the user and passes it to the displayProductSummary method. The
displayProductSummary method passes the integer value of the product number
to the getProductSummary method which obtains the product summary from the
array object containing the project summaries using the integer value of the
product number as the array index.
- The following example asks a user for an offset into an array to
select an item. (Demonstrative Example Id DX-90)
- The following example retrieves the sizes of messages for a pop3
mail server. The message sizes are retrieved from a socket that returns in a
buffer the message number and the message size, the message number (num) and
size (size) are extracted from the buffer and the message size is placed
into an array using the message number for the array index.
- The following example takes a user-supplied value to allocate an
array of objects and then operates on the array. (Demonstrative Example Id DX-34)
Observed Examples - CVE-2005-0369 : large ID in packet used as array index
- CVE-2001-1009 : negative array index as argument to POP LIST command
- CVE-2003-0721 : Integer signedness error leads to negative array index
- CVE-2004-1189 : product does not properly track a count and a maximum number, which can lead to resultant array index overflow.
- CVE-2007-5756 : Chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error.
- CVE-2005-2456 : Chain: array index error (CWE-129) leads to deadlock (CWE-833)
For more examples, refer to CVE relations in the bottom box. White Box Definitions None Black Box Definitions None Taxynomy Mappings | Taxynomy | Id | Name | Fit |
|---|
| CLASP | | Unchecked array indexing | | | PLOVER | | INDEX - Array index overflow | | | CERT C Secure Coding | ARR00-C | Understand how arrays work | | | CERT C Secure Coding | ARR30-C | Guarantee that array indices are within the valid
range | | | CERT C Secure Coding | ARR38-C | Do not add or subtract an integer to a pointer if the
resulting value does not refer to a valid array element | | | CERT C Secure Coding | INT32-C | Ensure that operations on signed integers do not result in
overflow | | | CERT C++ Secure Coding | INT10-CPP | Do not assume a positive remainder when using the %
operator | | | CERT C++ Secure Coding | INT32-CPP | Ensure that operations on signed integers do not result in
overflow | | | CERT C++ Secure Coding | ARR00-CPP | Understand when to prefer vectors over
arrays | | | CERT C++ Secure Coding | ARR30-CPP | Guarantee that array and vector indices are within the valid
range | | | CERT C++ Secure Coding | ARR38-CPP | Do not add or subtract an integer to a pointer or iterator if
the resulting value does not refer to a valid element in the array or
container | |
References: - M. Howard D. LeBlanc .Writing Secure Code 2nd Edition. Microsoft. Section:'Chapter 5, "Array Indexing Errors" Page
144'. Published on 2002.
- Jason Lam .Top 25 Series - Rank 14 - Improper Validation of Array
Index. SANS Software Security Institute. 2010-03-12.
- Michael Howard .Address Space Layout Randomization in Windows
Vista.
- .PaX.
- Microsoft .Understanding DEP as a mitigation technology part
1.
- Sean Barnum Michael Gegick .Least Privilege. Published on 2005-09-14.
- Michael Howard David LeBlanc John Viega .24 Deadly Sins of Software Security. McGraw-Hill. Section:'"Sin 5: Buffer Overruns." Page 89'. Published on 2010.
|
